Added new script modified from the FreeBSD release to avoid kernel panics.
authorAlan J. Pippin <ajp@pippins.net>
Sun, 20 Apr 2008 14:10:27 +0000 (08:10 -0600)
committerAlan J. Pippin <ajp@pippins.net>
Sun, 20 Apr 2008 14:10:27 +0000 (08:10 -0600)
100.chksetuid [new file with mode: 0755]

diff --git a/100.chksetuid b/100.chksetuid
new file mode 100755 (executable)
index 0000000..06151cf
--- /dev/null
@@ -0,0 +1,77 @@
+#!/bin/sh -
+# 
+# Description: FreeBSD comes with the following script that is run
+#              weekly as part of its periodic weekly security scripts.
+#              However, their version of the script does NOT ignore
+#              .zfs/snapshot directories. On a system with limited
+#              resources, this can lead to a "kmem_map too small" 
+#              kernel panic when this script runs. Somehow, ZFS
+#              kernel memory usage explodes when performing recursive
+#              find operations on .zfs snapshot locations. This
+#              is the modified version of that script, which excludes
+#              searching in .zfs snapshot directories.
+#
+# Copyright (c) 2001  The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD: src/etc/periodic/security/100.chksetuid,v 1.8.14.1 2008/01/29 00:22:33 dougb Exp $
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+    . /etc/defaults/periodic.conf
+    source_periodic_confs
+fi
+
+. /etc/periodic/security/security.functions
+
+rc=0
+
+case "$daily_status_security_chksetuid_enable" in
+    [Yy][Ee][Ss])
+       echo ""
+       echo 'Checking setuid files and devices:'
+       # XXX Note that there is the possibility of overrunning the args to ls
+       MP=`mount -t ufs,zfs | egrep -v " no(suid|exec)" | awk '{ print $3 }' | sort`
+       if [ -n "${MP}" ]
+       then
+           set ${MP}
+           while [ $# -ge 1 ]; do
+               mount=$1
+                shift
+                dotzfs=`echo "$mount" | grep "\.zfs"`
+               [ -n "$dotzfs" ] && continue;
+               find $mount -xdev -type f \
+                       \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
+                       \( -perm -u+s -or -perm -g+s \) -print0
+           done | xargs -0 -n 20 ls -liTd | sed 's/^ *//' | sort -k 11 |
+             check_diff setuid - "${host} setuid diffs:"
+           rc=$?
+       fi;;
+    *) rc=0;;
+esac
+
+exit $rc